Open jmgomez-IAA opened 5 years ago
Build tools for reverse engineering using Python
socat allows us to create a man-in-the-middle attack on the UART ttyUSB traffic.
socat -d -d pty,link=/dev/ttyUSB0,raw,echo=0,b115200 pty,raw,echo=0,b115200
Option -d -d selects the debugging level. The type is 'pty', a pseudo serial port. We need a 'raw' port, one which sends only the exact characters.
We are using 3 shells:
Create a virtual serial port, which should forward commands to a file. In our case the FTDI creates 2 devices:
$]# ls /dev/ttyU*
/dev/ttyUSB0 /dev/ttyUSB1
The /dev/ttyUSB1 device is the one in use. So let's create a virtual port and associate (tunnel) it to /dev/ttyUSB1 using socat.
Shell 1:
$]# sudo socat /dev/ttyUSB1,raw,echo=0 SYSTEM:'tee uart_input.bin | socat - "PTY,link=/dev/ttyUSB2,raw,echo=0,waitslave" | tee uart_output.bin'
Device /dev/ttyUSB2 should be created if socat succeeds.
grmon > batch sample_script_with_commands.tcl
grmon > quit
Now the data transmitted from shell 2 to /dev/ttyUSB2 is stored (in binary) in the file uart_output.bin, and the data received on /dev/ttyUSB1 is stored in uart_input.bin.
$]# xxd <uart_output.bin
$]# xxd <uart_input.bin
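As an added example (not part of this issue, nor socat or grmon code), a small Python helper that reads the two tee'd capture files and renders each \r\n-terminated record with its direction, stream offset, hex and escaped text, much like xxd but split per command/response; the sample bytes embedded below are constructed, not real grmon output.

```python
from pathlib import Path

# Constructed sample captures standing in for the two files written by the
# tee stages of the socat interposer (hypothetical contents, not real grmon data):
# uart_output.bin = bytes the host application wrote towards /dev/ttyUSB1,
# uart_input.bin  = bytes that arrived from /dev/ttyUSB1.
SAMPLE_TO_DEVICE = b"info sys\r\nmem 0x40000000 8\r\nquit\r\n"
SAMPLE_FROM_DEVICE = b"grmon2> \x00\x1b[Kok\r\n40000000 01 02\r\ngrmon2> "

def escape_bytes(rec: bytes) -> str:
    """Render a record as text, escaping control and non-ASCII bytes as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in rec)

def split_records(data: bytes, terminator: bytes = b"\r\n") -> list:
    """Split a raw UART byte stream into records ending in `terminator`.
    A trailing partial record (e.g. a prompt awaiting input) is kept as the last item."""
    records, start = [], 0
    while (idx := data.find(terminator, start)) >= 0:
        records.append(data[start:idx + len(terminator)])
        start = idx + len(terminator)
    if start < len(data):
        records.append(data[start:])
    return records

def transcript(to_device: bytes, from_device: bytes) -> list:
    """Return (direction, stream_offset, hex, text) rows for both captured streams.
    The tee files carry no timestamps, so the two directions are listed one
    after the other rather than interleaved."""
    rows = []
    for direction, stream in (("host->dev", to_device), ("dev->host", from_device)):
        offset = 0
        for rec in split_records(stream):
            rows.append((direction, offset, rec.hex(" "), escape_bytes(rec)))
            offset += len(rec)
    return rows

def transcript_from_files(out_path="uart_output.bin", in_path="uart_input.bin") -> list:
    """Build the transcript from the real capture files produced by the socat command."""
    return transcript(Path(out_path).read_bytes(), Path(in_path).read_bytes())

if __name__ == "__main__":
    for direction, off, hexs, text in transcript(SAMPLE_TO_DEVICE, SAMPLE_FROM_DEVICE):
        print(f"{direction} +{off:04x}  {hexs:<40}  {text}")
```

Run it in the directory where shell 1 wrote the two .bin files and call transcript_from_files() to view the real exchange.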
Wireshark intercepts the data from usbmon.
$]# sudo yum install wireshark-gnome wireshark
Capture the ftdi traffic
$]# lsusb
Bus 002 Device 002: ID 8087:8002 Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 17aa:1034
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 003 Device 002: ID 17aa:1034
Bus 003 Device 017: ID 0403:6010 Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO IC
Among others there is a Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO with ID 0403:6010. That is our FTDI converter.
It is located on USB Bus 003, so Wireshark should intercept the traffic on usbmon3.
We have to load the usbmon kernel module to sniff the FTDI.
Let's create a filter to receive only the data of interest:
usb.device_address == 17
References:
- Monitoring (Sniffing) /dev/ttyUSB0 created by FTDI USB Serial Converter
- Capturing USB Serial data using wireshark
- Building Wireshark 2.4.0 for CentOS 7
Unbind and rebind the xHCI host controller:
$]# echo -n "0000:08:00.0" | tee /sys/bus/pci/drivers/xhci_hcd/unbind
$]# echo -n "0000:08:00.0" | tee /sys/bus/pci/drivers/xhci_hcd/bind
- Advanced use of Hexdump